Palo Alto NGFWs a success story waiting for you
October 09, 2019

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Software Version

PA-5200 Series

Overall Satisfaction with Palo Alto Networks Next-Generation Firewalls - PA Series

As with any organization, our org needed to replace existing infrastructure. At the time we were strictly a Cisco shop top down, but we were open to other bids as well. After a demo, we purchased Palo Alto 5220 based firewalls, with the intent to use them as the central point of authority for all network traffic for our campus. The Palo Alto (PA) firewall is used as the gateway device for all traffic within our organization.
  • The PA handles VPN connectivity without missing a beat. We have multiple VPN tunnels in use for redundancy to cloud-based services.
  • The PA has great functionality in supporting failover internet connections, again with the ability to have multiple paths out to our cloud-based services.
  • The PA is updated on the regular with various security updates; we are not concerned with the firewall's ability to see what packets are really flowing across the network. Being able to see beyond just IP and port requests lets you know things are locked down better than traditional firewalls.
  • It is a great overall kit, with URL filtering and other services that fill in the gaps between other solutions without breaking the bank.
  • Documentation that is available for solutions from Palo Alto is great. If you find yourself in a situation where something has not been previously documented or implemented, you will have to find out solutions yourself.
  • The ability to use the API for push/pull information with the firewall was a major selling point. However, some items a person would expect to be readily available through the API do not exist, so either you have to go without or do an extensive amount of work to put together, sort, and clean the data from multiple sources (I am looking at you, DHCP logs).
  • Prior to the purchase of Palo Alto NGFW firewalls, we used various other technologies along with our prior firewalls. After the purchase of the PA5220s, we were able to sunset these other technologies. Retired tech, along with a single pane of glass, provides us with more resources to move forward with in other areas. Positive impact for our organization with the purchase of our PA-5220s.
We previously used Cisco 5585 ASAs with Firepower. We wanted a more holistic solution than what the Cisco ASA was providing for us. In this situation, we needed to have consistency in how rules were applied across multiple types of traffic, while also knowing what kind of traffic was being sent. The inspection capabilities alone sold us on the Palo Alto, and we have reaped significant other benefits as well.
I have had to engage support multiple times. These times of engaging support were not due to an issue with the firewall itself, but for assistance in troubleshooting one of our ISP's connection issues. The support staff was very accommodating, treating our issue as if it was an issue with the firewall itself until we proved otherwise. The support staff followed up later to verify what recommendations had been followed by our ISP, which led our issue to resolution.

Do you think Palo Alto Networks Next-Generation Firewalls - PA Series delivers good value for the price?

Yes

Are you happy with Palo Alto Networks Next-Generation Firewalls - PA Series's feature set?

Yes

Did Palo Alto Networks Next-Generation Firewalls - PA Series live up to sales and marketing promises?

Yes

Did implementation of Palo Alto Networks Next-Generation Firewalls - PA Series go as expected?

Yes

Would you buy Palo Alto Networks Next-Generation Firewalls - PA Series again?

Yes

The Palo Alto device is well suited as a direct replacement for any traditional or other firewall. There is little room for error on this device; it will do exactly what you have it configured for. Between security zones, security policies, NAT policies, policy-based forwarding, and everything in between, you have to keep your head on straight when making big or small changes.

The Palo Alto does have one overall issue our users report more than anything. The Palo Alto is a strict NAT device, so unless you have the ability to 1 to 1 map IP addresses for your users who need something besides strict NAT limitations, the Palo Alto will cause you grief.

Next-Generation Firewalls - PA Series Feature Ratings

  • Identification Technologies: 10
  • Visualization Tools: 9
  • Content Inspection: 9
  • Policy-based Controls: 9
  • Active Directory and LDAP: 10
  • Firewall Management Console: 10
  • Reporting and Logging: 8
  • VPN: 10
  • High Availability: 10
  • Stateful Inspection: 10
  • Proxy Server: 10

Using Palo Alto Networks Next-Generation Firewalls - PA Series

2100 - All business functions for a university flow through the PA5220, along with student traffic. Any and every business system and application is passing through the firewall. All types of Internet traffic as well, including general Internet traffic, IaaS, SaaS, and other cloud-based systems are moving without issue across the PA5220 firewalls deployed.
2 - For the Palo Alto PA5220 deployment, we have one main administrator and another authorized user supporting the hardware and configuration changes. We have multiple log writes going out via syslog into a SIEM tool for the better overall management of all alert types, which is also administered by one of these individuals. The firewall is very capable; your administrators need to be as well.
  • Inspection
  • Internet Gateway
  • VPN
  • Direct Connect (BGP)
  • Security Rules
  • Active/Active internet connection failovers
  • BGP routing for AWS Direct Connect with VPN connectivity for redundancy
  • Always looking to increase usage of the available API for more automated task creation/closing
The PA5220s have far exceeded what we have expected out of them. It was a bit of a learning curve coming from another vendor, but everything falls into place now with ease. The capabilities of the solution still surprise us, allowing us to remove other costly hardware and providing a single point of management needed.